AD CS: CA database and log files should not be stored on the system drive

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

This certification authority (CA) is configured to store the certificate database or log files on the system drive.

Impact

Database and log files can grow very large and can possibly consume all available disk space. If these files are located on the system drive, then this can cause the operating system to fail.

The system drive stores the operating system files, and it is critical to maintain free space on the system drive to allow the operating system to function normally.

Resolution

Move the certificate database and log files to a non-system drive, and update the CA configuration to reflect the new location.

The CA database and log files grow during normal operations and should be periodically maintained to reduce their size. It is also a best practice to store the CA database and log files on a non-system drive to ensure that growth of the CA database does not affect the operating system.

To move the CA database and log files, follow these five steps. Detailed procedures for each step are given below.

  1. Identify the current directories of the CA database and log files.

  2. Stop Active Directory Certificate Services.

  3. Move the CA database and log files from their current directories to new directories on a non-system drive.

  4. Update the registry with the new directories.

  5. Start Active Directory Certificate Services.

To move the CA database and log files to a non-system drive

  • Identify the current directories of the CA database and log files.

    1. On the CA, open the Registry Editor.

    2. Select the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration.

    3. The following registry values define the directories that store the CA database and log files. For a CA configured with the default values, the CA database and log files are stored in a single directory; for example, C:\Windows\System32\CertLog.

      1. DBDirectory

      2. DBLogDirectory

      3. DBSystemDirectory

      4. DBTempDirectory

  • Stop Active Directory Certificate Services.

    1. On the CA, open a command prompt, and type CertUtil.exe -shutdown.

  • If the CA database and log files are currently stored in a single directory and you plan to use a single directory for the new location, move the directory and its contents to a non-system drive.

    1. On the CA, start Windows Explorer.

    2. Navigate to the directory identified previously in step 3.

    3. Right-click the directory containing the CA database and log files, and click Cut.

    4. Navigate to a non-system drive, right-click a directory, and click Paste.

    5. Note the new path to the directory.

  • Update the registry with the new directories.

Warning

You should save the registry data before using this procedure. Restore the saved registry data if AD CS does not start properly after changing the CA configuration. For detailed procedures, see Import or Export Registry Keys.

    1. Using the Registry Editor, select the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration.

    2. Double-click the DBDirectory value to open the Edit String dialog box.

    3. In Value Data, type the new path to the directory containing the CA database and log files, and click OK.

    4. Repeat steps 2 and 3 for each of the following registry values.

      1. DBDirectory

      2. DBLogDirectory

      3. DBSystemDirectory

      4. DBTempDirectory

  • Start Active Directory Certificate Services.

    1. Open a command prompt as Administrator, and type net start CertSvc.

Note

AD CS reads the registry values during startup and will not start if the CA database files are not found in the specified locations. If AD CS fails during startup, verify the data in the registry keys.
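As an added example that is not part of this topic, the following PowerShell audits the four directory values against the system drive (the condition the BPA flags) and, when asked, carries out the five steps above for the single-directory layout, including the registry export the warning calls for. It assumes an elevated prompt on the CA; the destination path D:\CertLog is a placeholder for a non-system volume of your choosing.

```powershell
# Added example (not from the BPA topic): audit the AD CS directory values and,
# optionally, relocate them following the five steps above. Run elevated on the CA.
$caConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$dirValues   = 'DBDirectory', 'DBLogDirectory', 'DBSystemDirectory', 'DBTempDirectory'

function Test-CaDatabaseLocation {
    # Step 1: one object per registry value, flagging paths on the system drive (the BPA finding).
    $systemDrive = $env:SystemDrive    # e.g. "C:"
    foreach ($name in $dirValues) {
        $path = (Get-ItemProperty -Path $caConfigKey -Name $name -ErrorAction Stop).$name
        New-Object PSObject -Property @{
            Value         = $name
            Path          = $path
            OnSystemDrive = $path.Trim().StartsWith($systemDrive, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

function Move-CaDatabase {
    # Steps 2-5 for the single-directory layout; $Destination is an assumed non-system path.
    param([Parameter(Mandatory=$true)][string]$Destination,
          [string]$RegistryBackup = "$env:TEMP\CertSvc-Configuration.reg")
    if ($Destination.StartsWith($env:SystemDrive, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Destination '$Destination' is on the system drive; choose another volume."
    }
    $sources = Test-CaDatabaseLocation | Select-Object -ExpandProperty Path | Sort-Object -Unique
    if (@($sources).Count -ne 1) {
        throw "CA files are split across directories ($($sources -join ', ')); relocate them individually."
    }
    # Save the registry data first, as the warning above recommends.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $RegistryBackup /y | Out-Null
    # Step 2: stop the CA so the database and log files are closed before moving.
    & certutil.exe -shutdown | Out-Null
    # Step 3: move the directory contents to the new location.
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Move-Item -Path (Join-Path $sources '*') -Destination $Destination -Force
    # Step 4: point all four values at the new directory.
    foreach ($name in $dirValues) {
        Set-ItemProperty -Path $caConfigKey -Name $name -Value $Destination
    }
    # Step 5: start the service; a failure here usually means a wrong path in the registry.
    Start-Service -Name CertSvc
}

# Audit only; run Move-CaDatabase -Destination 'D:\CertLog' to relocate (placeholder path).
Test-CaDatabaseLocation | Format-Table Value, Path, OnSystemDrive -AutoSize
```

If the four values already point to different directories, the script refuses to move them as a unit, which matches the single-directory assumption of the procedure above.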

Additional references